Acting responsibly as a researcher who has discovered a vulnerability requires delicately balancing a question of two greater evils. Will more people get hurt overall if we announce the vulnerability sooner, or will more people get hurt overall if we wait until the vendor is ready?
In most cases, working with the vendor to allow a patch and a warning to be released is the path of least harm. But sometimes the right decision is to announce a vulnerability before the vendor has issued a patch.
Like the potential fallout of known broken "encryption" in a security vendor's products being hidden from their customers for 18 months?
The ethics of publicly disclosing way quicker than that, despite what the vendor wants to label "responsible disclosure", seems pretty straightforward to me...
I hope that 18 months of conference calls was extremely lucrative for the researcher here, because I'd feel like a jerk sitting on that one for a year and a half while the vendor was no doubt selling more and more of their broken and insecure crap to unsuspecting customers...
And this right here is why “responsible disclosure” is a dumb term that people need to stop using.
Look how much time is wasted arguing over the highly subjective definition of “responsible” that breaks out. Communicating these issues would be far more optimal if we use objective language.
That was the point when Scott Culp coined that awful term in the first place. People are still taking the bait.